Low severity · authentication

Power BI Error:
AADSTS50098, JWT body missing required field

What does this error mean?

The JWT sent to Microsoft Entra ID is missing a required claim in its body, so token validation fails.

Common causes

  • Client assertion JWT is missing a required claim (`aud`, `iss`, `sub`, `jti`, `exp`, or `nbf`) when authenticating a service principal with a certificate
  • Wrong `aud` value — should be `https://login.microsoftonline.com/{tenantId}/v2.0` (v2) or `https://login.microsoftonline.com/{tenantId}/oauth2/token` (v1), not the resource URL
  • `iss` and `sub` not both set to the application (client) ID of the service principal
  • Custom OIDC/SAML token built by middleware (API gateway, custom connector, on-prem federation) that drops claims during signing
  • Expired or not-yet-valid token — `exp`/`nbf` outside the allowed clock skew window

How to fix it

  1. Decode the failing JWT at jwt.ms and check which claim is missing — the `{field}` placeholder in the error usually maps to `aud`, `iss`, `sub`, `exp`, or `nbf`
  2. If you're using a service principal with certificate auth (Power BI embedded, ADF linked services, Fabric capacity automation), rebuild the client_assertion so `iss` = `sub` = app (client) ID, and `aud` = the v2.0 token endpoint for your tenant
  3. Verify the JWT is signed with the private key matching a certificate uploaded to the App Registration → Certificates & secrets, and that `x5t` in the header matches the cert thumbprint
  4. For ADF/Fabric pipelines using a custom REST linked service, switch to System-assigned Managed Identity or Service Principal auth instead of hand-crafted JWTs — Azure handles the token body for you
  5. If a third-party tool (Tableau, Qlik, custom OIDC IdP) generates the assertion, update it to the latest connector version; older builds omit `nbf` or use deprecated `aud` values
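
The claim checks from the steps above can also be run locally, so the assertion never leaves the build host. This is an added example, not code from this page or from Microsoft: the function names, the 300-second `skew` tolerance and the sample token helper are assumptions made for illustration, and the signature is not verified.

```python
import base64
import json
import time

REQUIRED = ("aud", "iss", "sub", "jti", "exp", "nbf")  # claim list from this page


def _seg(obj):
    """Encode a dict as one unpadded base64url JWT segment."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def sample_assertion(header, body):
    """Constructed test token with a placeholder signature (never valid at Entra)."""
    return f"{_seg(header)}.{_seg(body)}.c2ln"


def _decode(segment):
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))


def check_client_assertion(jwt, tenant_id, client_id, now=None, skew=300):
    """List problems in a client_assertion header/body. Signature is NOT verified.

    skew (seconds) is an assumed tolerance, not a documented Entra value.
    """
    now = time.time() if now is None else now
    parts = jwt.split(".")
    if len(parts) != 3:
        return ["not a compact JWT: expected 3 dot-separated segments"]
    try:
        header, body = _decode(parts[0]), _decode(parts[1])
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        return [f"header or body is not base64url-encoded JSON: {exc}"]
    if not (isinstance(header, dict) and isinstance(body, dict)):
        return ["header and body must both be JSON objects"]
    findings = [f"missing claim: {c}" for c in REQUIRED if c not in body]
    base = f"https://login.microsoftonline.com/{tenant_id}"
    if "aud" in body and body["aud"] not in (f"{base}/v2.0", f"{base}/oauth2/token"):
        findings.append("aud is not the tenant's v2 or v1 value given on this page")
    for claim in ("iss", "sub"):
        if claim in body and body[claim] != client_id:
            findings.append(f"{claim} is not the application (client) ID")
    if isinstance(body.get("exp"), (int, float)) and body["exp"] < now - skew:
        findings.append("exp is in the past")
    if isinstance(body.get("nbf"), (int, float)) and body["nbf"] > now + skew:
        findings.append("nbf is in the future")
    if "x5t" not in header:
        findings.append("header has no x5t certificate thumbprint")
    return findings
```

An empty list means the header and body pass these checks; the signature and the `x5t` value still have to be compared against the certificate uploaded to the App Registration.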

Frequently asked questions

What does AADSTS50098 mean?

JWT body must contain '{field}'.

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes
